Description
The Avada (Fusion) Builder plugin for WordPress is vulnerable to Arbitrary WordPress Action Execution in all versions up to, and including, 3.15.1. This is due to the plugin's `output_action_hook()` function accepting user-controlled input to trigger any registered WordPress action hook without proper authorization checks. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary WordPress action hooks via the Dynamic Data feature, potentially leading to privilege escalation, file inclusion, denial of service, or other security impacts depending on which action hooks are available in the WordPress installation.
Published: 2026-04-15
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary WordPress Action Execution with potential privilege escalation
Action: Apply Patch
AI Analysis

Impact

The Avada (Fusion) Builder plugin for WordPress contains a flaw that allows authenticated users with Subscriber-level access or higher to trigger any registered WordPress action hook through the Dynamic Data feature. By supplying crafted input to the plugin's output_action_hook() function, an attacker can directly fire any available hook, potentially leading to privilege escalation, file inclusion, denial of service, or other impacts depending on the hooks present in the installation. The weakness is classified as code injection (CWE-94).
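To make the weakness and its fix concrete, here is an added PHP illustration of the pattern the description identifies (a user-supplied hook name passed to do_action() without authorization) beside a hardened version. This is not code from the Avada (Fusion) Builder plugin; the function names, the allowlisted hook names, the nonce action and the capability chosen are hypothetical.

```php
<?php
// Added illustration, not code from the Avada (Fusion) Builder plugin.
// All function names, hook names, the nonce action and the capability
// used below are hypothetical.

// Weak pattern (the CWE-94 issue described in the advisory): a hook name
// taken from the request is handed straight to do_action(), so any hook
// registered on the site can be fired by whoever can reach this code path.
function hypothetical_output_action_hook_weak( array $args ) {
    do_action( $args['hook'] );
}

// Hardened pattern: a fixed allowlist of the hooks this feature really
// needs, a capability check, and a nonce tied to the request.
const HYPOTHETICAL_ALLOWED_HOOKS = array(
    'fusion_dynamic_data_header',   // hypothetical hook names
    'fusion_dynamic_data_footer',
);

function hypothetical_output_action_hook_safe( array $args ) {
    // 1. Authorization: a Subscriber-level account must not get past here.
    if ( ! current_user_can( 'edit_posts' ) ) {
        return new WP_Error( 'forbidden', 'Insufficient capability.' );
    }

    // 2. CSRF protection for the request that carries the hook name.
    if ( empty( $args['_wpnonce'] )
        || ! wp_verify_nonce( $args['_wpnonce'], 'hypothetical_dynamic_data_hook' ) ) {
        return new WP_Error( 'bad_nonce', 'Nonce check failed.' );
    }

    // 3. Never treat the hook name as free text: exact, strict match
    //    against the allowlist, so no other registered hook is reachable.
    $hook = isset( $args['hook'] ) ? (string) $args['hook'] : '';
    if ( ! in_array( $hook, HYPOTHETICAL_ALLOWED_HOOKS, true ) ) {
        return new WP_Error( 'bad_hook', 'Hook not permitted.' );
    }

    // Capture whatever the allowed hook prints and return it as output.
    ob_start();
    do_action( $hook );
    return ob_get_clean();
}
```

The allowlist is the essential control: capability and nonce checks limit who can call the function, but only the exact-match allowlist limits which hooks can run.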

Affected Systems

WordPress sites with the Avada (Fusion) Builder plugin installed at version 3.15.1 or earlier. The vulnerability is specific to ThemeFusion's Avada (Fusion) Builder and applies to every installation running a vulnerable version of that plugin.

Risk and Exploitability

The CVSS score for this vulnerability is 5.4, indicating medium severity. No EPSS score is currently available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires only that the attacker be authenticated with at least Subscriber privileges and that a suitable WordPress action hook is registered on the site. The likely attack vector is the plugin's interface or API through which an authenticated user can submit Dynamic Data requests. Given the medium score and the absence of publicly known exploits, the overall risk is moderate, but timely remediation is still required.

Generated by OpenCVE AI on April 15, 2026 at 02:20 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update Avada (Fusion) Builder to a version newer than 3.15.1 that removes or secures the output_action_hook function.
  • Restrict the capabilities of the Subscriber role (and any lower-privileged roles) so they cannot reach Dynamic Data actions, or explicitly deny the execute action for those roles.
  • Audit existing WordPress action hooks and disable any that are unnecessary or could be abused, limiting the surface for potential exploitation.


Advisories

No advisories yet.

History

Wed, 15 Apr 2026 17:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 15 Apr 2026 14:00:00 +0000

Type: First Time appeared
Values Added: Themefusion; Themefusion fusion Builder; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Themefusion; Themefusion fusion Builder; Wordpress; Wordpress wordpress

Wed, 15 Apr 2026 01:45:00 +0000

Type: Description
Values Added: the description quoted in the Description section above

Type: Title
Values Added: Avada (Fusion) Builder <= 3.15.1 - Authenticated (Subscriber+) Limited Arbitrary WordPress Action Execution

Type: Weaknesses
Values Added: CWE-94

Type: References
Values Added: (none listed)

Type: Metrics
Values Added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-15T16:13:37.307Z

Reserved: 2026-01-27T21:14:56.116Z

Link: CVE-2026-1509

Vulnrichment

Updated: 2026-04-15T13:47:28.648Z

NVD

Status: Received

Published: 2026-04-15T04:17:33.173

Modified: 2026-04-15T04:17:33.173

Link: CVE-2026-1509

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T13:49:14Z

Weaknesses